#VU53 Improper input validation - CVE-2016-4525

Cybersecurity Help s.r.o.

Published: 2016-06-29 | Updated: 2018-11-22

Vulnerability identifier: #VU53

Vulnerability risk: Medium

CVSSv4.0: 3.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2016-4525

CWE-ID: CWE-20

Exploitation vector: Local

Exploit availability: No

Description
The vulnerability allow a local user to to insert and run arbitrary code on an affected system.

This vulnerability ts not exploitable remotely and cannot be exploited without user interaction.

Successful exploitation of this vulnerability may lead to several ActiveX controls, which are intended for restricted use, can be marked as safe-for-scripting.

Mitigation
Advantech has released a new version of WebAccess, Version 8.1_20160519, to address the reported vulnerabilities.
This new version is available on:
http://www.advantech.com/industrial-automation/webaccess

External links
https://ics-cert.us-cert.gov/advisories/ICSA-16-173-01

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Advantech WebAccess